I have a standalone instance of Splunk. I am running both:
Splunk Add-on for Unix and Linux, and
Splunk App for Unix.
Since the Splunk App for Unix has reached End-of-Life and is not required in my deployment anymore i am looking to remove it. Initially i tried just using Splunk command:
./splunk remove app splunk_app_for_nix
However noticed that this impacts the index "os" used by the Splunk Add-on for Unix and Linux. The index no longer appears in the web gui under settings>indexes. If i look in the CLI, i can still see data in /opt/splunk/os/db, so the data still appears to be there, but is not being used apparently.... I am getting Message saying "Received event for unconfigured/disabled/deleted index=os ...", so am not entirely sure what the status of this index is now.
What is the best way to remove this app without affecting the index?
Thanks,
... View more